Cisco Support Community

New Member

URL filtering for Remote access VPN users

Hi All,

I have an ASA 5520 that is configured for remote access VPN, and clients connect using IPsec or AnyConnect SSL.

Most of the clients use a non-split-tunneling policy, so their web traffic goes through the ASA. Our URL filtering server is on the inside network. I tried configuring URL filtering but it did not work, since the VPN clients terminate on the outside (lower-security) interface and the web traffic flows from outside to inside (higher security), and URL filtering only works when the HTTP traffic goes from a higher-security interface to a lower-security one.

How can I enable URL filtering for remote access users?

Any ideas?

Meena

8 REPLIES

Re: URL filtering for Remote access VPN users

Hi Meena,

I don't think URL filtering is restricted to inside users going to the outside. Can you check whether u-turn (hairpin) traffic is enabled and working fine? If so, can you please post your URL filter config here? Are you including the VPN client pool in the URL inspection? Can you post your config?

New Member

Re: URL filtering for Remote access VPN users

Based on this link,

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml

I see the following text under the Background Information:

You can filter connection requests that originate from a more secure network to a less secure network.

The tunnel default gateway is our perimeter firewall, which is on the inside subnet of the ASA. I have not tried hairpinning the traffic yet.

Meena

Re: URL filtering for Remote access VPN users

Mhhh... is this topology sending the traffic back to the ASA after it is forwarded to the tunnel default gateway, or is it sending it to another GW?

New Member

Re: URL filtering for Remote access VPN users

The topology is that the ASA is sending it to another default gateway.

The ASA's outside interface is facing the internet and the inside is connected to the DMZ interface of our perimeter firewall.

The tunnel default gateway is our perimeter firewall. So the web traffic comes in on the outside, goes to the inside, on to the DMZ interface of our perimeter firewall, and out through the outside interface of the perimeter firewall.

I should be able to hairpin the web traffic on the outside of the ASA. Do you think this will force the URL filtering?

Meena

Re: URL filtering for Remote access VPN users

Well, since this traffic is in the end sent to this perimeter firewall, you might want to think about filtering URLs on that one (unless you want to modify the whole traffic flow). I think that hairpinning will allow you to do URL filtering on the ASA itself, since it somehow satisfies the "outbound" URL filter rule.

New Member

Re: URL filtering for Remote access VPN users

I do not want to modify the whole traffic flow. I looked into doing the URL filtering on the perimeter firewall but it did not work out due to some licensing issues or some other reasons that are beyond me.

I still want to be able to use the perimeter firewall as the tunnel gateway, but for port 80 non-internal traffic I just want to hairpin the traffic. I think I should be able to do this with some ACL and route statements.

Meena

Re: URL filtering for Remote access VPN users

Unfortunately, if you define a tunnel default gateway, all traffic, including HTTP traffic, will be sent to that firewall; you would need to remove the tunnel default gateway to achieve the hairpin behavior.

New Member

Re: URL filtering for Remote access VPN users

I kind of realized that after I posted my reply last time. As soon as the traffic gets decrypted it gets routed to the perimeter firewall and I cannot apply any ACL.

I wish there were an easier way.

Meena
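The configuration the replies are pointing at, written out as an added example (this is not config posted in the thread). The first block is the tunnel-default-gateway setup the thread ends on; the second is the hairpin alternative the earlier replies describe. All addresses are assumed: VPN pool 192.168.100.0/24, URL filter server 10.1.1.5 on the inside, perimeter firewall 10.1.1.1 as the inside next hop, 203.0.113.1 as the outside next hop. The NAT lines use the pre-8.3 `nat`/`global` syntax that matches the ASA 5520 era of this thread; on 8.3 and later they need the object-NAT form instead.

```cisco
! Added example, not from the thread. Addresses and vendor are assumptions.

! ---- Setup described at the end of the thread: tunnel default gateway ----
! Every decrypted VPN packet is routed to the perimeter firewall, so it never
! hairpins out the outside interface and the URL filter never sees it.
route inside 0.0.0.0 0.0.0.0 10.1.1.1 tunneled

! ---- Hairpin alternative ----
! Drop the tunneled route and route explicitly: internal prefixes go to the
! perimeter firewall, everything else goes back out the outside interface.
no route inside 0.0.0.0 0.0.0.0 10.1.1.1 tunneled
route inside 10.0.0.0 255.0.0.0 10.1.1.1
route outside 0.0.0.0 0.0.0.0 203.0.113.1

! VPN client address pool (assumed range)
ip local pool VPNPOOL 192.168.100.1-192.168.100.254

! Allow a flow to enter and leave the same interface (u-turn / hairpin)
same-security-traffic permit intra-interface

! Hairpinned flows leave the outside interface, so the pool must be PATed
! to the outside address (pre-8.3 syntax)
nat (outside) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface

! URL filter server on the inside (Websense assumed; smartfilter/n2h2 also valid)
url-server (inside) vendor websense host 10.1.1.5 timeout 30 protocol TCP version 4

! Filter HTTP from the VPN pool to any destination.
! "allow" = fail open when the filter server is unreachable; remove it to fail closed.
filter url http 192.168.100.0 255.255.255.0 0.0.0.0 0.0.0.0 allow

! Verification after the change:
!   show route                 (the "tunneled" route must be gone)
!   show url-server            (server must show as UP)
!   show url-server statistics (URL lookups should increment while a VPN client browses)
```

Whether `filter url` actually matches the hairpinned flow is what the thread leaves unconfirmed, so the `show url-server statistics` counters are the check to watch after a VPN client browses; if they stay at zero with the tunneled route removed, the filter is not seeing the traffic and the perimeter firewall remains the only place to apply it.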
